Re: Follow up to password vs pass-phrase discussion

["Davis, Thomas R" <tdavis () IU EDU>]

Kamnab,

We use passphrases exclusively:

 http://kb.iu.edu/data/acpu.html
 
-- 
Tom Davis, CISSP, CISM
Chief Security Officer
Public Safety and Institutional Assurance
Indiana University
https://informationsecurity.iu.edu/Tom_Davis


On Apr 27, 2010, at 3:22 PM, Kamnab Keo/FS/VCU wrote:

> Does anyone advocate the use of pass-phrases vs passwords and allowing users the ability to use pass-phrases if they 
> want to?  For example, do you allow your users to use pass-phrases that consist of 15 characters or more with no 
> complexity requirements but passwords with 7 to 14 characters must have some type of complexity (uppercase, number, 
> special character)?  Also does anyone have separate password policies for users that access sensitive systems?  If 
> so, what types of password policies are used? 
>
> Thanks, 
>
>
>
>
> Kamnab Keo
> IT Risk Management Analyst   
> Virginia Commonwealth University 
>
> VCU Information Security - http://infosecurity.vcu.edu/
> Information Security News, Tips & More - http://www.twitter.com/vcuinfosec 
> Information Security Best Practices - http://infosecurity.vcu.edu/docs/information-security-best-practices.pdf
>
> Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply 
> with your password, Social Security number or confidential personal information.  For more details visit 
> http://infosecurity.vcu.edu/phishing.